Router-to-Router VPN and VPN Client-to-Router VPN


Cisco 2611 Router

***2611#show run
Building configuration...

Current configuration : 2265 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ***2611
!

!--- Enable aaa for user authentication
!--- and group authorization.

aaa new-model
!
!

!--- To enable X-Auth for user authentication,
!--- enable the aaa authentication commands.

aaa authentication login userauthen local

!--- To enable group authorization, enable
!--- the aaa authorization commands.

aaa authorization network groupauthor local
aaa session-id common
!

!--- For local authentication of the IPSec user,
!--- create the user with password.

username cisco password 0 cisco
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!

!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP)
!--- policy for Phase 1 negotiations for the VPN 3.x clients.

crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!

!--- Create an ISAKMP policy for Phase 1
!--- negotiations for the LAN-to-LAN tunnels.

crypto isakmp policy 10
hash md5
authentication pre-share

!--- Specify the PreShared key for the LAN-to-LAN tunnel.
!--- Make sure that you use
!--- no-xauth parameter with your ISAKMP key.

crypto isakmp key cisco123 address 172.18.124.199 no-xauth
!

!--- Create a group that will be used to
!--- specify the WINS, DNS servers' address
!--- to the client, along with the pre-shared
!--- key for authentication.

crypto isakmp client configuration group 3000client
key cisco123
dns 10.10.10.10
wins 10.10.10.20
domain cisco.com
pool ippool
!
!

!--- Create the Phase 2 Policy for actual data encryption.

crypto ipsec transform-set myset esp-3des esp-md5-hmac
!

!--- Create a dynamic map and apply
!--- the transform set that was created above.

crypto dynamic-map dynmap 10
set transform-set myset
!
!

!--- Create the actual crypto map, and
!--- apply the aaa lists that were created
!--- earlier. Also create a new instance for your
!--- LAN-to-LAN tunnel. Specify the peer IP address,
!--- transform set and an Access Control List (ACL) for this
!--- instance.

crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
set peer 172.18.124.199
set transform-set myset
match address 100
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!

!--- Apply the crypto map on the outside interface.

interface Ethernet0/0
ip address 172.18.124.159 255.255.255.0
half-duplex
crypto map clientmap
!
interface Serial0/0
no ip address
shutdown
!
interface Ethernet0/1
ip address 10.10.10.1 255.255.255.0
no keepalive
half-duplex
!
!

!--- Create a pool of addresses to be
!--- assigned to the VPN Clients.

ip local pool ippool 14.1.1.100 14.1.1.200
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.124.1
ip http server
ip pim bidir-enable
!
!

!--- Create an ACL for the traffic
!--- to be encrypted. In this example,
!--- the traffic from 10.10.10.0/24 to 10.10.20.0/24
!--- would be encrypted.

access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
!
snmp-server community foobar RO
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
!
end

Configuring the 3640 Router
Cisco 3640 Router

***3640#show run
Building configuration...

Current configuration : 1287 bytes
!
! Last configuration change at 13:47:37 UTC Wed Mar 6 2002
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ***3640
!
!
ip subnet-zero
ip cef
!

!--- Create an ISAKMP policy for Phase 1
!--- negotiations for the LAN-to-LAN tunnels.

crypto isakmp policy 10
hash md5
authentication pre-share

!--- Specify the PreShared key for the LAN-to-LAN
!--- tunnel. You do not have to add
!--- X-Auth parameter, as this
!--- router is not doing Cisco Unity Client IPSEC
!--- authentication.

crypto isakmp key cisco123 address 172.18.124.159
!
!

!--- Create the Phase 2 Policy for actual data encryption.

crypto ipsec transform-set myset esp-3des esp-md5-hmac
!

!--- Create the actual crypto map. Specify
!--- the peer IP address, transform
!--- set and an ACL for this instance.

crypto map mymap 10 ipsec-isakmp
set peer 172.18.124.159
set transform-set myset
match address 100
!
call RSVP-sync
!
!
!

!--- Apply the crypto map on the outside interface.

interface Ethernet0/0
ip address 172.18.124.199 255.255.255.0
half-duplex
crypto map mymap
!
interface Ethernet0/1
ip address 10.10.20.1 255.255.255.0
half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.124.1
ip http server
ip pim bidir-enable
!

!--- Create an ACL for the traffic to
!--- be encrypted. In this example,
!--- the traffic from 10.10.20.0/24 to 10.10.10.0/24
!--- would be encrypted.

access-list 100 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
snmp-server community foobar RO
!
dial-peer cor custom
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
end

Router-to-Router VPN Configuration

Hub Router

2503#show running-config
Building configuration...
Current configuration : 1466 bytes
!
version 12.2

service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname 2503
!

!
ip subnet-zero
!

!

!--- Configuration for IKE policies.

crypto isakmp policy 10

!--- Enables the IKE policy configuration (config-isakmp)
!--- command mode, where you can specify the parameters that
!--- are used during an IKE negotiation.

hash md5
authentication pre-share
crypto isakmp key cisco123 address 200.1.2.1
crypto isakmp key cisco123 address 200.1.3.1

!--- Specifies the preshared key "cisco123" which should
!--- be identical at both peers. This is a global
!--- configuration mode command.

!

!--- Configuration for IPSec policies.

crypto ipsec transform-set myset esp-des esp-md5-hmac

!--- Enables the crypto transform configuration mode,
!--- where you can specify the transform sets that are used
!--- during an IPSec negotiation.

!
crypto map mymap 10 ipsec-isakmp

!--- Indicates that IKE is used to establish
!--- the IPSec security association for protecting the
!--- traffic specified by this crypto map entry.

set peer 200.1.2.1

!--- Sets the IP address of the remote end.

set transform-set myset

!--- Configures IPSec to use the transform-set
!--- "myset" defined earlier in this configuration.

match address 110

!--- Specifies the traffic to be encrypted.

crypto map mymap 20 ipsec-isakmp
set peer 200.1.3.1
set transform-set myset
match address 120
!
!
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0
ip address 200.1.1.1 255.255.255.0
no ip route-cache

!--- You must enable process switching for IPSec
!--- to encrypt outgoing packets. This command disables fast switching.

no ip mroute-cache
crypto map mymap

!--- Configures the interface to use the
!--- crypto map "mymap" for IPSec.

!

!--- Output suppressed.

ip classless
ip route 172.16.1.0 255.255.255.0 Ethernet0
ip route 192.168.1.0 255.255.255.0 Ethernet0
ip route 200.1.0.0 255.255.0.0 Ethernet0
ip http server

!
access-list 110 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255

!--- This crypto ACL-permit identifies the
!--- matching traffic flows to be protected via encryption.

Spoke 1 Router

2509a#show running-config
Building configuration...
Current configuration : 1203 bytes
!
version 12.2

service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname 2509a
!
enable secret 5 $1$DOX3$rIrxEnTVTw/7LNbxi.akz0

!
ip subnet-zero
no ip domain-lookup
!

!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 200.1.1.1
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 200.1.1.1
set transform-set myset
match address 110
!
!
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0
ip address 200.1.2.1 255.255.255.0
no ip route-cache
no ip mroute-cache
crypto map mymap
!


!--- Output suppressed.

ip classless
ip route 10.1.1.0 255.255.255.0 Ethernet0
ip route 192.168.1.0 255.255.255.0 Ethernet0
ip route 200.1.0.0 255.255.0.0 Ethernet0
no ip http server

!
access-list 110 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!

end
2509a#

Spoke 2 Router

×××2509#show running-config
Building configuration...
Current configuration : 1117 bytes
!
version 12.2

service timestamps debug datetime msec
service timestamps log uptime
service password-encryption
!
hostname ×××2509
!

!
ip subnet-zero
no ip domain-lookup
!

!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 200.1.1.1
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 200.1.1.1
set transform-set myset
match address 120
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0
ip address 200.1.3.1 255.255.255.0

no ip route-cache

no ip mroute-cache
crypto map mymap
!


!--- Output suppressed.

ip classless
ip route 10.1.1.0 255.255.255.0 Ethernet0
ip route 172.16.0.0 255.255.0.0 Ethernet0
ip route 200.1.0.0 255.255.0.0 Ethernet0
no ip http server

!
access-list 120 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!

end
×××2509#
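Both scenarios above depend on the two peers agreeing: the pre-shared key bound to each other's address, the transform set, and crypto ACLs that are mirror images of one another (10.10.10.0/24 to 10.10.20.0/24 on the 2611, the reverse on the 3640; likewise hub 110/120 against each spoke). The following script is an added example, not part of the original post or of Cisco's documentation; it parses constructed excerpts of the 2611 and 3640 configs and reports any of those mismatches, and it can be run against the hub-and-spoke pair in the same way.

```python
import re
# Constructed excerpts of the 2611 and 3640 configs above (crypto-relevant lines only).
R2611 = """crypto isakmp key cisco123 address 172.18.124.199 no-xauth
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map clientmap 1 ipsec-isakmp
 set peer 172.18.124.199
 set transform-set myset
 match address 100
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255"""
R3640 = """crypto isakmp key cisco123 address 172.18.124.159
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 172.18.124.159
 set transform-set myset
 match address 100
access-list 100 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255"""

def parse(cfg):
    """Pull pre-shared keys, transform sets, static crypto-map entries and crypto ACLs from an IOS config."""
    d = {"keys": {}, "tsets": {}, "maps": [], "acls": {}}
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            d["keys"][m[2]] = m[1]                        # peer address -> key
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            d["tsets"][m[1]] = frozenset(m[2].split())    # name -> set of transforms
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp$", line):
            d["maps"].append({})                          # new static entry (dynamic ones are skipped)
        elif d["maps"] and (m := re.match(r"(set peer|set transform-set|match address) (\S+)", line)):
            d["maps"][-1][m[1].split()[-1]] = m[2]        # keys: peer, transform-set, address
        elif m := re.match(r"access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)", line):
            d["acls"].setdefault(m[1], set()).add((m[2], m[3]))  # (src, dst) pairs per ACL
    return d

def check_pair(a, a_ip, b, b_ip):
    """Return mismatches between peer A (at a_ip) and peer B (at b_ip); an empty list means consistent."""
    issues = []
    if a["keys"].get(b_ip) is None or a["keys"].get(b_ip) != b["keys"].get(a_ip):
        issues.append("pre-shared keys missing or different")
    ea = next((m for m in a["maps"] if m.get("peer") == b_ip), None)
    eb = next((m for m in b["maps"] if m.get("peer") == a_ip), None)
    if ea is None or eb is None:
        return issues + ["no static crypto-map entry for the peer"]
    if a["tsets"].get(ea["transform-set"]) != b["tsets"].get(eb["transform-set"]):
        issues.append("transform sets differ")
    # Each side's crypto ACL must be the mirror image of the other's (src/dst swapped).
    mirror = {(dst, src) for src, dst in b["acls"].get(eb["address"], set())}
    if a["acls"].get(ea["address"], set()) != mirror:
        issues.append("crypto ACLs are not mirror images")
    return issues
```

For the hub, `check_pair` selects the crypto-map entry whose `set peer` matches the spoke being checked, so the 2503 can be checked against each spoke separately.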

Reposted from: https://blog.51cto.com/bitstream/73484
